‘Not that hard to execute if attacker has access to a monitoring platform running Cacti’

Critical IP spoofing bug patched in Cacti

A dangerous bug in Cacti, the RRDTool frontend and performance/fault management framework, potentially allowed attackers to run arbitrary PHP commands on the server.

Cacti is a popular open-source network graphing, monitoring, and fault-management tool written in PHP. RRDTool stands for round-robin database tool.

While Cacti is not usually meant to be accessible from public networks, an attacker with network access to the server would be able to leverage the remote code execution (RCE) bug without authentication.

The flaw affects version 1.2.22 and has been patched in versions 1.2.23 and 1.3.0.

Flimsy safeguard

The vulnerability resides in a PHP file in Cacti that allows remote agents to run different actions on the server. The only safeguard this file offered was to check whether requests were coming from an authorized IP address. Unfortunately, however, IP addresses can be spoofed with the right configuration of HTTP headers.

This allows an attacker to gain access to the file’s commands without being authenticated into the Cacti application.

Read more of the latest PHP security news

“The exploit is not that hard to execute if the attacker has access to a monitoring platform running Cacti,” Mark Brugnoli-Vinten, one of the maintainers of Cacti, told The Daily Swig.

“Most installations that I know of do not advertise themselves over the internet so the impact is mostly reduced to internal intrusions. If they have access to your internal network, there are larger problems at play, but this could be used by them.”

Command injection

One of the functions in the vulnerable file, called polldata, loads data from the backend database based on user-provided arguments. If the server is configured to allow PHP script actions, the attacker could use this command to execute arbitrary scripts on the server.

According to the advisory for the bug, this configuration is “very likely on a productive instance because this action is added by some predefined templates”.

Said Brugnoli-Vinten: “When exploited, it grants the attacker the ability to run commands under the same user that the website process is executing.”

But, he added, as long as your system “is secured using recommended safety/security procedures, such as AppArmour/SELinux or even separate user/group permissions, then the impact should be fairly limited”.

Secure PHP coding lessons

The bug was assigned a critical CVSS score of 9.8, which “is one of the reasons we published the advisory before the release was complete,” Brugnoli-Vinten said.

The team patched the vulnerability with the help of Stefan Schiller, security researcher at Sonar, who first reported the bug through GitHub’s advisory system.

The flaw held some lessons in secure PHP coding for the Cacti team.

“In recent years, I’ve taken to saying that you should never trust the input from a user, make sure it’s validated. However, the same also applies to settings in the environment,” Brugnoli-Vinten explained.

“PHP, for example, provides a lot of information in the $_SERVER variable, and even experienced users of the language may not realize which entries are set by the system and which are provided by the browser. If it can come from the browser, it can be spoofed.”

YOU MIGHT ALSO LIKE Akamai WAF bypassed via Spring Boot to trigger RCE